Last week at RSA, Bruce Schneier gave a talk on the top 3 emerging threats on the Internet. Whereas we in the security field usually talk about spam, malware and cyber crime, he talked about three meta-trends that all have the potential to be more dangerous than the cybercriminals (he talks a bit about it here).
Below are my notes.
- The rise of big data
Schneier’s first threat was the rise of Big Data. This is data that is collected by companies like Google, Facebook and Amazon without their users’ knowledge or consent. With technical advancement, the cost of storing data and analyzing it has dropped to almost zero. It is cheaper to save everything than to decide whether or not to delete it (how much email do you delete in your Outlook inbox?). Search has become easier than sort. All of this data is going to the cloud and the cost that dominates is the sysadmin costs. To most users, this is preferable because if they screw up, the data is still there and not deleted. The goal of all of this is for companies to make judgments about us – what we like, what ads are relevant, our credit worthiness, etc.
Why is this a threat?
The reason is Big Data as a lobbying force. It is becoming a powerful industry and a lot of money is invested in being able to buy and sell data (in the US; in Europe it’s different). Therefore, there’s a lot of money invested to make sure that things stay this way, and resist calls for regulation.
- The threat from government
As more and more people move towards doing their daily tasks on the Internet, more crime has moved onto the Internet. This is not because of some inherent weakness of the Internet, but that the criminals are following the money. As a result, more laws relating to the Internet are being passed at the request of law enforcement.
During the middle of the 1990’s, Schneier coined the term “The Four Horseman of the Internet Apocalypse” which were the four areas that law enforcement would crack down on. These were Terrorism, Kidnapping, Drug Dealers and Child Pornography. Politicians want to be seen as tough on crime, and people want to make the ‘net safer. As a result, we get Internet regulations that don’t help; people that aren’t in our community come in and say “Do that and make stuff safer” even though the security industry says that it won’t help.
When we see gov’t intrusion, it’s usually in response to one of those four threats. For example, the NSA required AT&T to allow them to eavesdrop on people without a warrant. In the past, the FBI made phone companies redesign their equipment in order to make listening in easier (consider circuit switching vs. packet switching). With today’s modern communications, people don’t talk to each other over the Internet. The worst case is (for gov’t) Skype; because it is encrypted end-to-end, the FBI cannot listen in the middle without forcing an insecure redesign. Data retention laws are another area where law enforcement is a player. They could force companies to retain data longer in case they want to look at it one day to combat one of the four threats.
It is easy to get bad laws because the force of common sense is a terrible lobbying group. The reason why SOPA and PIPA died is not because common sense prevailed, nor because Wikipedia went dark, but because large companies like Google got behind the blocking of the bills. In other words, powerful lobbies whose interests the bills were not in defeated the bills.
- The cyber arms race
The cyber arms race has lots of rhetoric with lots of exaggeration. There is lots of fear and posture including people in the military who say there are big, scary things that threaten civilization. As a result, they propose technologies be built like an Internet kill switch.
The result of the cyber arms race is more gov’t involvement in standards, more gov’t involvement in offensive attacks (e.g., Stuxnet), and nations stockpiling cyber weapons. The result is less stability in cyber space.
When you have a Cyber Command, you need stuff to do. Therefore, we can expect to see recon missions like we saw during the Cold War. This is the doctrine of Preparing the Battlefield. In the US and China, you penetrate networks to see where the vulnerabilities are working, and perhaps leave behind things that that will help you get in later or set off a logic bomb. The US is currently doing this, and probably China. The problem is that because this is so new, decisions about this sort of thing are being made at a lower level in the command structure.
What does this all mean?
As the stakes become higher, attackers will become more sophisticated with more targeted attacks (e.g., APTs). IT security industry has a lot of technical work to do, but will see less direct consumer work. We will sell directly to the vendor (i.e., Apple) who packages it and sells it to the consumer. Selling to users will fade and instead sell to aggregators. Also, IT industry will have to get involved in politics more and more. Battles are won and lost there; SOPA and PIPA will continue. Finally, good political solutions will be necessary because tech solutions will not be enough.